Pro-Adultery Dating Site Hacked

The extramarital-affair online dating website Ashley Madison has been hacked, and the hacking group taking credit has threatened to release full details for the site's subscribers, which reportedly number more than 37 million across 46 countries, unless the service shuts down.

The breach is a reminder that hackers can potentially expose not only the information that people share, but also the identities of those with whom they've shared it.

A hacking outfit billing itself as "The Impact Team" has threatened to release "all customer information databases, source code repositories, financial records, emails" tied to Ashley Madison. The attackers are demanding that Toronto-based parent company Avid Life Media shut down the dating site, as well as another one of its sites, called Established Men, according to information security blogger Brian Krebs, who broke the news of the hack. The Impact Team also released online a selection of stolen data, which has since been removed, as well as a manifesto.

Avid Life Media has confirmed that it was targeted via a hack attack, in what it now labels as being an act of "cyber-terrorism." The company runs multiple sites, including Ashley Madison - tagline: "Life is short. Have an affair." - which bills itself as a dating service designed for married people, as well as the single people who want to meet them; the Established Men dating site, which promises to connect "young, beautiful women with successful men"; and CougarLife.com, which caters to older, more career-oriented women who seek younger men.

The Impact Team's manifesto threatens to publish, a.k.a. "dox," the stolen data pertaining to customers unless Avid Life Media shuts down Ashley Madison and Established Men, although it issued no such demand for CougarLife, or the company's Swappernet.com or "The Big and the Beautiful" site. "We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails," the manifesto reads.

Avid Life Media says in a statement released July 20 that it launched an investigation and brought in outside digital forensic experts after learning of the suspected intrusion. "At this time, we have been able to secure our sites, and close the unauthorized access points," Avid Life Media says. "We are working with law enforcement agencies, which are investigating this criminal act."

But later on July 20, cybersecurity expert Alan Woodward reported that the Ashley Madison website appeared to only be intermittently online, apparently after coming under sustained distributed denial-of-service attacks, although no one immediately claimed credit for any such disruption.

Missing: Discretion

The apparent Avid Life Media hack attack comes just two months after a hack attack against a similar hookup site, Adultfriendfinder.com, which bills itself as being a "thriving sex community" (see Dating Website Breach Spills Secrets).

"Companies such as these two, they completely rely on discretion," says Noa Bar-Yosef, a vice president at data exfiltration prevention firm enSilo. "For instance, with my bank, my trust is within my belief that it should secure my financials. If my money is going to be stolen, whether because a banker stole it or it wasn't put in the safe or whatever, I would stop banking there because that's the basis of my relationship with the bank."

London IPO Planned

Avid Life Media had been planning to launch an initial public offering - valuing the company at up to $200 million - later this year in London. Due to Europeans' more liberal attitude toward affairs, "Europe is the only region where we have a real chance of doing an IPO," Christoph Kraemer, Avid Life Media's head of international relations, told Bloomberg earlier this year. The company reports that its Ashley Madison site saw sales of $115 million in 2014.

Avid Life Media previously aborted a planned $60 million IPO on the Toronto Stock Exchange in 2010.

Privacy Policy

Ashley Madison's privacy policy, listed as being last updated on Nov. 3, 2011, states: "We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to 'firewalls,' encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk."

But those technologies and practices appear to have been insufficient to protect the company's customers from having their personal details swiped.

One outstanding question is whether the hack attack will lead customers or prospective customers to avoid the site, because they no longer trust it. "I believe that somebody who would want to go to that site, that's the basic building block," Bar-Yosef says. "They've built their trust around the discretion. Now the minute that that trust is broken, the question [becomes] ... do they have even a demand now for their existence, because their whole existence was built on that trust."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
